Hi Koh Kim Boon,

by all means, I invite you to submit a Jira bug with the security flag,
where more DSpace committers will take a look at the issue and evaluate it.
Here is my investigation:

This type of test checks for SQL injection attacks by adding an expression to
URL parameters that - if processed by a SQL database - will return an
error. The assumption is that such an SQL error will render a different HTML
output than a valid query. The tool will then compare the resulting HTML
where no error is expected and where the error is expected. If such a
difference is found, a possible SQL injection vulnerability is reported.

Therefore I constructed 2 queries on my test instance. I tested with DSpace
master, DSpace 4.1 and DSpace 1.8.2:

curl --data "query=xxx" http://demo.dspace.org/xmlui/handle/10673/1/discover
> 2

curl --data
"query=10%27%20OR%20%2716123%27=%271612310%27%20AND%20%2716123%27=%2716124"
http://demo.dspace.org/xmlui/handle/10673/1/discover > 3

Both these queries are supposed to return an empty result set. The
difference between the HTML replies indicates only a difference in query
parameters, nothing else (plus, in the case of DSpace 4 there's a "Did you
mean" suggestion which is likely to trigger this kind of alarm, but is not
present in DSpace 1.8):

--- 2   2014-05-30 14:03:23.000000000 +0200+++ 3   2014-05-30
14:03:42.000000000 +0200@@ -137,10 +137,14 @@
 <ol>
 <li class="ds-form-item">
 <div class="ds-form-content">-<input
id="aspect_discovery_SimpleSearch_field_query" class="ds-text-field"
name="query" type="text" value="xxx" />+<input
id="aspect_discovery_SimpleSearch_field_query" class="ds-text-field"
name="query" type="text" value="10' OR '16123'='1612310' AND
'16123'='16124" />
 <input xmlns:i18n="http://apache.org/cocoon/i18n/2.1";
id="aspect_discovery_SimpleSearch_field_submit" class="ds-button-field
search-icon" name="submit" type="submit" value="Go" />
 </div>
 </li>+<li id="aspect_discovery_SimpleSearch_item_did-you-mean"
class="ds-form-item didYouMean">+<div class="ds-form-content">Did you
mean: <a xmlns:i18n="http://apache.org/cocoon/i18n/2.1";
xmlns="http://www.w3.org/1999/xhtml";
href="discover?rpp=10&amp;page=1&amp;query=10' OR '1612'='162010' AND
'1612'='1612&amp;group_by=none&amp;e+</div>+</li>
 <li class="ds-form-item last">
 <div class="ds-form-content">
 <a href="display-filters">Add filters</a>@@ -189,14 +193,14 @@
 </table>
 </div>
 <p id="aspect_discovery_SimpleSearch_p_hidden-fields"
class="ds-paragraph hidden">-<input
id="aspect_discovery_SimpleSearch_field_query" class="ds-hidden-field"
name="query" type="hidden" value="xxx" />+<input
id="aspect_discovery_SimpleSearch_field_query" class="ds-hidden-field"
name="query" type="hidden" value="10' OR '16123'='1612310' AND
'16123'='16124" />
 </p>
 </form>
 </div>
 <form id="aspect_discovery_SimpleSearch_div_main-form"
class="ds-interactive-div " action="/xmlui/handle/10673/1/discover"
method="post" onsubmit="javascript:tSubmit(this);">
 <p id="aspect_discovery_SimpleSearch_p_hidden-fields"
class="ds-paragraph hidden">
 <input id="aspect_discovery_SimpleSearch_field_search-result"
class="ds-hidden-field" name="search-result" type="hidden"
value="true" />-<input id="aspect_discovery_SimpleSearch_field_query"
class="ds-hidden-field" name="query" type="hidden" value="xxx"
/>+<input id="aspect_discovery_SimpleSearch_field_query"
class="ds-hidden-field" name="query" type="hidden" value="10' OR
'16123'='1612310' AND '16123'='16124" />
 <input id="aspect_discovery_SimpleSearch_field_current-scope"
class="ds-hidden-field" name="current-scope" type="hidden"
value="10673/1" />
 <input id="aspect_discovery_SimpleSearch_field_rpp"
class="ds-hidden-field" name="rpp" type="hidden" value="10" />
 <input id="aspect_discovery_SimpleSearch_field_sort_by"
class="ds-hidden-field" name="sort_by" type="hidden" value="score" />
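Review bot: in both hunks (-137,10 +137,14 and -189,14 +193,14) the only `-`/`+` pairs are the reflected `query` value inside double-quoted `value="..."` attributes, and the payload consists solely of single quotes, which cannot terminate those attributes, so the visible lines do support the "only the parameter differs" conclusion. One caveat worth recording in the Jira ticket: the added `did-you-mean` element carries an altered copy of the input (`'1612'='162010'` rather than `'16123'='1612310'`), not a verbatim echo, so a response-diffing scanner cannot discount it simply by masking the submitted value, which explains why this element alone is enough to raise the alarm on DSpace 4 but not on 1.8.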



This leads me to dismiss this report as a false alarm.


My second reason to believe this is a non-issue is that the /discover
endpoint doesn't use its parameters to construct a SQL query, it constructs
a Solr query instead. A Solr query injection vulnerability is conceivable,
but very limited in impact - both in scope and duration of its effects.

Here are the XMLUI aspects that process such URLs and thus have access to
the "query" parameter:

https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/resources/aspects/Discovery/sitemap.xmap#L149

https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SidebarFacetsTransformer.java
https://github.com/DSpace/DSpace/tree/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SimpleSearch.java
https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/wing/IncludePageMeta.java


Again, I invite you to file the bug report to stimulate more independent
review in case any of my assumptions are wrong.


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
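As an added example (not part of helix84's message or of DSpace's code), the script below reproduces the triage the message describes offline: it masks every reflection of the submitted `query` value and strips the known-benign "Did you mean" element before diffing the two responses, so that only unexplained differences remain. `render_page` is a hypothetical stand-in for the XMLUI response, built from constructed markup modelled on the diff in the message, and `BENIGN` is an assumed allow-list keyed on the element id seen there.

```python
import difflib
import html
import re
from urllib.parse import quote

# Constructed inputs (not captured from demo.dspace.org): the scanner's
# baseline value and the error-probing value shown in the curl commands.
BASELINE_PARAM = "xxx"
PROBE_PARAM = "10' OR '16123'='1612310' AND '16123'='16124"

# Hypothetical stand-in for the XMLUI response, modelled on the diffed markup.
def render_page(query: str, did_you_mean: bool) -> str:
    q = html.escape(query, quote=False).replace('"', "&quot;")
    parts = ['<input id="aspect_discovery_SimpleSearch_field_query" '
             f'class="ds-text-field" name="query" type="text" value="{q}" />']
    if did_you_mean:  # DSpace 4 adds a suggestion element for odd queries
        parts.append('<li id="aspect_discovery_SimpleSearch_item_did-you-mean" '
                     f'class="ds-form-item didYouMean">Did you mean: {q}</li>')
    parts.append("<p>Search results: 0 items</p>")
    return "\n".join(parts)

# Assumed allow-list of fragments that legitimately differ between requests.
BENIGN = {"did-you-mean": re.compile(
    r'<li id="aspect_discovery_SimpleSearch_item_did-you-mean".*?</li>', re.S)}

def normalise(body: str, param: str) -> str:
    """Replace each reflection of the submitted value (raw, attribute-escaped,
    URL-encoded) with a token, so echoing the input is not a 'difference'."""
    variants = {param, html.escape(param, quote=False).replace('"', "&quot;"),
                html.escape(param, quote=True), quote(param, safe="")}
    for v in sorted(variants, key=len, reverse=True):
        body = body.replace(v, "<<PARAM>>")
    return body

def triage(baseline: str, probe: str, base_param: str, probe_param: str) -> dict:
    """Diff two responses after discounting reflection and known-benign
    fragments; whatever is left is what a reviewer must explain."""
    a, b = normalise(baseline, base_param), normalise(probe, probe_param)
    benign = [n for n, rx in BENIGN.items() if rx.search(b) and not rx.search(a)]
    for rx in BENIGN.values():
        a, b = rx.sub("", a), rx.sub("", b)
    lines = lambda s: [l for l in s.splitlines() if l.strip()]
    residual = [l for l in difflib.unified_diff(lines(a), lines(b), lineterm="", n=0)
                if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    return {"benign": benign, "residual": residual,
            "verdict": "false positive" if not residual else "needs review"}

if __name__ == "__main__":
    print(triage(render_page(BASELINE_PARAM, False),
                 render_page(PROBE_PARAM, True), BASELINE_PARAM, PROBE_PARAM))
```

Run against real captures, the two `render_page` calls would be replaced by the bodies of the two curl responses; a non-empty `residual` is the cue to look further, while an empty one with only allow-listed `benign` hits matches the false-alarm outcome described in the message.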
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette